The end may be nigh for Safe Harbor | Fieldfisher

The end may be nigh for Safe Harbor

23/09/2015
Today the Advocate General Bot's Opinion on Safe Harbor has been released, and it is making headlines! Why? Because:

  1. if the Opinion of the Advocate General is followed by the CJEU (see below), this will be the end of Safe Harbor (at least until the US and EU agree Safe Harbor version 2.0);

  2. even if the Opinion is not followed this is more fuel for the fire for Safe Harbor sceptics.

In more detail, the Advocate General has found:

  • that a decision by the EU Commission that "adequate" safeguards are in place to protect personal data being transferred outside the EEA (such as where a US recipient is Safe Harbor certified) does not stop European data protection authorities from independently deciding that those safeguards are not "adequate" and suspending the transfer of the data; and

  • that the EU Commission decision made in 2000 finding the US Safe Harbor certification scheme to provide adequate safeguards is "invalid".


As such, if the Opinion is followed by the court in Europe, the practical implications for organisations sending personal data from Europe to the US and for those US organisations receiving the data are significant.

To rewind

One of the requirements for organisations in the EEA processing personal data under the EU Directive on the protection of personal data (95/46/EC) is to only transfer personal data to entities located outside the EEA if the recipient has "adequate" safeguards in place to protect EU citizens' personal data to the same standards as those in place in Europe.

The way this has usually worked to date is for organisations to proceed with one of three options:

  • rely on the recipient's Safe Harbor certification for transfers to the United States of America ("US");

  • execute an agreement based on the EU Commission's Model Clauses; or

  • implement Binding Corporate Rules.


These three options all have their pros and cons (see Phil Lee's post from April, "EU data exports - choosing the least worst option?").

Why is "Safe Harbor" considered to be 'safe'?

In 2000 the EU Commission decided (Decision 2000/520) that, provided a US company undertakes to comply with the Safe Harbor principles (which require them to implement certain measures in respect of the data they receive from the EU), then the data being transferred is "adequately" safeguarded. No further steps need to be taken. As such, the first choice (if the recipient is in the US) has always been to rely on the US organisation's Safe Harbor certification - and thousands of organisations in Europe do just that.

But is it really 'safe'?

The revelations by Edward Snowden changed the thinking around Safe Harbor somewhat! Suddenly EU citizens realised that if their data is sent to a company in the US then, even if that US company has signed up to Safe Harbor and promised to keep that data protected, it may still be accessed by US government authorities. Note that US companies self-certify themselves onto the Safe Harbor scheme and that there is limited oversight from public authorities in the US, although recently the FTC took some enforcement action in connection with Safe Harbor.

So what's been done about it?

Max Schrems, an Austrian citizen, concerned that Facebook Ireland was transferring his data to Facebook US (subject to Safe Harbor) and that the US authorities might be accessing that data asked the Data Protection Commissioner in Ireland to stop the transfers of his data from Facebook Ireland to Facebook US. The Data Protection Commissioner said "no can do" – the Commission's decision in 2000 could not be overruled – the Commissioner could not stop the transfer.

Mr Schrems sought a judicial review of this decision in the Irish High Court. The Irish High Court could only go as far as considering the position under Irish law, which they decided would be in favour of Mr Schrems, i.e. that the Commissioner should investigate.

The question referred for preliminary ruling to the Court of Justice of the European Union ("CJEU") (the EU equivalent of the US Supreme Court) was therefore whether, considering that EU citizens' rights have been further enhanced by the passing of the EU Charter of Fundamental Rights (specifically Articles 7 and 8) since the Commission's original Safe Harbor decision in 2000, such a decision prevents a data protection authority from investigating whether the safeguards are truly "adequate" and from suspending the transfer of EU citizens' data if their privacy rights are threatened.

What does the Advocate General say?

The Advocate General has said that data protection authorities can investigate whether adequate safeguards are in place. Essentially, they are independent authorities and it is vital that they have the power to take steps to protect individuals' privacy rights. The Advocate General considers that if authorities were bound by Commission decisions then their ability to be independent would be curtailed, at the expense of individuals' privacy. It is therefore for the member state DPA and the Commission to each decide whether there is an adequate level of protection in place in the recipient country, protecting the data to a European standard.

If the authority's investigations reveal that the transfer of data is not carried out with adequate safeguards in place then the Advocate General's Opinion is that the transfer should be suspended. The CJEU can then be asked to assess the adequacy of the Commission decision.

So is the Harbor 'safe' anymore?

The Advocate General thinks not. In particular, for these reasons:

  • US authorities have been accessing EU citizens' data processed by Safe Harbor companies under the PRISM programme: (a) where not "strictly necessary"; (b) on a "casual or generalised" basis; (c) without an objective assessment on the grounds of national security etc.; and (d) without citizens having any judicial redress;

  • the Decision does not establish clear rules on when/how interference with the fundamental privacy and data protection rights under the Charter may be justified and as such the interference was not limited in this case to what was strictly necessary and proportionate; and

  • the Commission should by now have suspended the Safe Harbor Framework and adapted the Decision.


As such, the Advocate General considers that Decision 2000/520 should be declared invalid. The level of protection afforded by a third country may change over time and so the threshold for adequacy must develop with it, i.e. the Commission's decision should be amended as and when required.

What's the impact?

The Advocate General's Opinion is not binding on the CJEU; it is merely there to help the court make up its mind. It is now for the CJEU to make a decision on the validity of Decision 2000/520. If the CJEU decides to follow the Opinion, then the impact will be huge.

For organisations relying upon Safe Harbor to transfer data to the US, a suspension of the Safe Harbor framework would mean that all such transfers would be in breach of EU data protection laws. An alternative safeguard (either EU model clauses or BCRs) would immediately need to be put in place, assuming the Commission does not conclude its Safe Harbor 2.0 negotiations with the US Department of Commerce soon.

Although the CJEU has previously declined to follow an Opinion from the Advocate General, the fact that Safe Harbor has been found invalid by the Advocate General still provides ammunition to those in Europe who are sceptical about Safe Harbor, such as local data protection authorities. US organisations will also need to be prepared for an alternative means of safeguarding personal data to be high up on their customers' wish lists. Safe Harbor looks like it will no longer cut it.
